Background: The CVV/CVV2 number ("Card Verification Value") on a credit card or debit card is a 3 or 4 digit number printed on the card. It is 3 digits on VISA, MasterCard and Discover branded credit and debit cards, and 4 digits on an American Express branded credit or debit card. The CVV code is not embossed on any of these cards.

My question: Is 3 or 4 digits enough for online transactions to be secure?

4 Answers

The credit card companies are aware of this; their anti-fraud detection software will block a card if they see more than a small number of attempts with incorrect CVV codes. Even with an understanding of the algorithms for generating CVVs, a hacker would still have to get lucky to successfully make a transaction.

As for whether it is a great system, the answer is no. It's still vulnerable to fraud; however, it is much better than no CVV code at all. It's a quick and easy fix to add more security to the system until the industry can agree on a more permanent solution.

That's not really what the CVV2 number is for -- it's not a password for your credit card.

The purpose of the card security code is to indicate whether or not the card is present during the transaction. If the card is not present, then the transaction MUST be submitted without the verification code. In fact, if the card company finds out that you store this number in any way, then big fines for you.

So instead of simply asking, "Is the card present: yes/no", the card companies make you type in a number found on the card. It keeps people from giving the wrong answer. It's a bit like saying "ok, if you have the card in your hand, then quick, tell me what color it is." The information is not at all secret: it's printed right there on the card. It's trivial to obtain if you ever have access to the card. So making the code longer doesn't really change anything.

Most importantly, if you don't actually have the number on hand, then the most effective thing to do is just submit the transaction without it. If you send the transaction with the number, your transaction will probably be accepted. If you send the transaction without the number, it will probably still be accepted. But if you submit it with the wrong number, then it will always be rejected.

So playing the numbers game, your chances of the transaction being accepted are higher if you just ignore the CVV2 number than they would be if you randomly guessed at it.

And since every transaction attempt is recorded by the card company, you can't really mount a brute-force attack on it either. Too many incorrect guesses and your merchant account could get flagged. Then the whole game is over.

It doesn't need to be incredibly secure, as banks will lock you out pretty quickly if you get it wrong, and even if you get it right they have heuristic programs which will block transactions.

Any security breaches will be paid for by the bank's insurance company so they have to balance the cost of a security breach against the cost of losing a customer because their security measures make it almost impossible to make an online transaction.

The expected number of attempts before a successful payment is 500 for a 3-digit CVV and 5000 for a 4-digit CVV. For an offline brute force, this would be comically trivial to break, but a CVV verification requires communication with the card provider. As such, even a small number of attempts will trigger automatic fraud prevention and block the card.

Whilst this doesn't prevent 100% of fraud, that's not the goal of the bank. They know that it's impossible to prevent entirely, so their goal is simply to reduce fraud to a level where a balance is reached between prevention costs and insurance costs. They can prevent 95% of fraud with relatively cheap measures, but the last 5% costs as much to prevent as all other fraud combined. At that point, they can cover the rest with insurance at a lesser cost than the stringent and expensive security measures.

So yes, 3 or 4 digits is enough for verification during card transactions.
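The two answers above rest on the same point: the code space is tiny (about 500 guesses on average for 3 digits, 5000 for 4), but every verification goes to the issuer, which locks the card after a few mismatches and flags a merchant account that produces too many of them. The following is an added example, not code from any of the answers or from any card network; it is a constructed model of an issuer-side CVV2 gate with those two velocity checks, plus the arithmetic behind the "500 / 5000" figure. The lockout thresholds, merchant names, card numbers and CVV values are all assumptions made up for the illustration.

```python
# Added example: constructed model of issuer-side CVV2 velocity checks.
# Thresholds, PANs and CVVs below are assumptions, not real issuer policy.
from fractions import Fraction

MAX_WRONG_PER_CARD = 3         # assumed: lock the card after this many consecutive misses
MAX_MISMATCH_PER_MERCHANT = 5  # assumed: flag the merchant after this many misses overall


class IssuerCvvGate:
    """Stateful CVV2 verifier: per-card lockout and per-merchant mismatch counting."""

    def __init__(self, cvv_by_pan):
        # Reference values live only at the issuer; a merchant must never persist them.
        self._cvv_by_pan = dict(cvv_by_pan)
        self._wrong = {}          # pan -> consecutive wrong attempts
        self._locked = set()      # pans blocked by fraud prevention
        self._merchant_miss = {}  # merchant -> mismatches seen from that merchant
        self._flagged = set()     # merchants flagged for review

    def verify(self, merchant, pan, cvv):
        """Return 'match', 'mismatch', 'locked' or 'merchant_flagged'."""
        if merchant in self._flagged:
            return "merchant_flagged"
        if pan in self._locked:
            return "locked"
        if self._cvv_by_pan.get(pan) == cvv:
            self._wrong[pan] = 0          # a genuine use resets the counter
            return "match"
        self._wrong[pan] = self._wrong.get(pan, 0) + 1
        self._merchant_miss[merchant] = self._merchant_miss.get(merchant, 0) + 1
        if self._wrong[pan] >= MAX_WRONG_PER_CARD:
            self._locked.add(pan)
        if self._merchant_miss[merchant] >= MAX_MISMATCH_PER_MERCHANT:
            self._flagged.add(merchant)
        return "mismatch"

    def is_locked(self, pan):
        return pan in self._locked

    def is_flagged(self, merchant):
        return merchant in self._flagged


def expected_unconstrained_attempts(digits):
    """Mean number of guesses to hit one code when each of the 10**digits values is
    tried once and nothing ever blocks you: (n + 1) / 2, i.e. 500.5 and 5000.5."""
    n = 10 ** digits
    return Fraction(n + 1, 2)


def success_probability_before_lockout(digits, max_wrong=MAX_WRONG_PER_CARD):
    """With a lockout after max_wrong misses, a guesser gets max_wrong distinct tries,
    so the chance of ever seeing 'match' is max_wrong / 10**digits."""
    return Fraction(max_wrong, 10 ** digits)


def run_scenario():
    """Constructed walk-through; returns the outcomes so they can be checked."""
    cards = {  # constructed test PANs and CVVs
        "4111111111111111": "731",
        "5555555555554444": "042",
        "378282246310005": "1234",
    }
    gate = IssuerCvvGate(cards)
    # A cardholder who has the card in hand supplies the right code once.
    genuine = gate.verify("shop-a", "4111111111111111", "731")
    # Sequential guessing at one card: three misses, then the card is locked.
    guessing = [gate.verify("shop-b", "5555555555554444", f"{i:03d}") for i in range(5)]
    # One merchant sending wrong codes to several cards trips the merchant-level flag.
    merchant_run = [
        gate.verify("shop-c", "4111111111111111", "999"),
        gate.verify("shop-c", "4111111111111111", "999"),
        gate.verify("shop-c", "4111111111111111", "999"),
        gate.verify("shop-c", "378282246310005", "9999"),
        gate.verify("shop-c", "378282246310005", "9999"),
        gate.verify("shop-c", "378282246310005", "9999"),
    ]
    return {
        "genuine": genuine,
        "guessing": guessing,
        "merchant_run": merchant_run,
        "card_b_locked": gate.is_locked("5555555555554444"),
        "shop_c_flagged": gate.is_flagged("shop-c"),
    }


if __name__ == "__main__":
    print(float(expected_unconstrained_attempts(3)), float(expected_unconstrained_attempts(4)))
    print(success_probability_before_lockout(3), success_probability_before_lockout(4))
    print(run_scenario())
```

Two design points worth noticing. The gate returns the same "mismatch" for the attempt that triggers the lock as for earlier ones, so a caller learns nothing extra at the moment of lockout; the "locked" result only appears on later attempts. And the merchant counter is not reset by a successful match, because the signal the second answer describes is the volume of wrong codes coming from one merchant account, not whether that merchant also sees legitimate traffic.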